CA Identity Manager Provisioning Runbook for ImageWare Systems, Inc. Biometric Authentication Service

CA Identity Suite Provisioning Runbook for GMISCIM · 2019-06-17 · 6 of 24 | Page Chapter 2: Configure / provision CA Identity Manager (12.6) Use the SCIM connector to acquire ImageWare


Legal Notice

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright © 2016 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


Table of Contents

Legal Notice
Table of Contents
Support
    Contact CA Technologies
    Product documentation feedback
Chapter 1: Introduction
    Overview
    The provisioning process
    CA prerequisites
    ImageWare Systems, Inc. prerequisites for CA customers
Chapter 2: Configure / provision CA Identity Manager (12.6)
    Use the SCIM connector to acquire ImageWare Systems GMI Server endpoint
    Create an endpoint
    Create an “explore and correlate” definition
    Create account templates
    Create a provisioning role
    Set up Policy Xpress
Chapter 3: Configure the ImageWare Systems GMI Server endpoint
    Connect with ImageWare Systems, Inc.
    Tenant requirements
    ImageWare requirements
    ImageWare System’s GMI Admin Portal
Chapter 4: Test provisioning to the GMI Server endpoint
    Provision a user
    Modify a user
    Deprovision a user
    Confirm that user was provisioned or deprovisioned in the GMI Admin Portal
Chapter 5: Exception Handling
Chapter 6: Summary
Appendices: CA Scalability Testing
    Appendix A: Testing Checklist
    Appendix B: Special Character Testing
    Appendix C: Additional CRUD Testing


Support

This document is produced by ImageWare Systems, Inc. ([email protected]), on behalf of CA Technologies Inc. (www.ca.com).

Contact CA Technologies

For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:

● Online and telephone contact information for technical assistance and customer services
● Information about user communities and forums
● Product and documentation downloads
● CA Support policies and guidelines
● Other helpful resources appropriate for your product

Product documentation feedback

If you have comments or questions about CA Technologies product documentation, you [email protected].

For feedback or questions about ImageWare Systems, [email protected]


Chapter 1: Introduction

Overview

The scope of this document is to provide the necessary steps required to configure the provisioning endpoint connection between CA Identity Manager 12.6, and the ImageWare Systems GMI Server endpoint.

The provisioning process

The endpoint provisioning process contains the following steps:

1. Install and configure the prerequisites
2. Configure provisioning for Identity Manager
3. Configure the Service Provider endpoint
4. Test the provisioned endpoint

CA prerequisites

● Install CA Identity Manager 12.6 Suite
● Configure user directory and provisioning directory
● Create an Identity Manager environment
● Import Roles and Tasks for SCIM endpoint types

ImageWare Systems, Inc. prerequisites for CA customers

In order to set up and use the ImageWare out-of-band biometric identity authentication component, there are a number of required prerequisites:

● Customer has established a tenant relationship with ImageWare Systems:
    ○ Either the customer has established a tenant relationship directly with ImageWare; or
    ○ The customer has attached themselves to CA Technologies as a tenant-client, using CA Technologies’ tenant relationship with ImageWare Systems, Inc.
● Customer has established an appropriate client credential token for use in creating (provisioning) and removing (de-provisioning) users in the GMI system
● The ImageWare GMI system is set up for CA Identity Manager integration by configuring the GMI UserID attribute as immutable
● End-user is in possession of a mobile device that has either the GoVerifyID™ mobile application or a GoVerifyID-enabled application designated for providing biometric enrollment and verification through the GMI Server suite
● End-user has enrolled their biometrics to support future CA Identity Manager biometric identity verification requests


Chapter 2: Configure / provision CA Identity Manager (12.6)

Use the SCIM connector to acquire ImageWare Systems GMI Server endpoint

Create an endpoint

To acquire an endpoint:

1. Log in to CA Identity Manager and navigate to Endpoints → Manage Endpoints → Create Endpoint.

2. Click the Create a new endpoint of Endpoint Type drop-down menu and select SCIM.

3. Click OK. The Create SCIM Endpoint form opens with the Endpoint tab open by default.

4. Enter the following in the appropriate fields:


| Field Name | Description |
|---|---|
| Endpoint Name | Name of your endpoint as you determine appropriate |
| Description | Optional |
| SCIM Base URL | https://<GMI_SERVER_FQDN>/gmiserver/v1 |
| SCIM Authentication Method | OAuth 2.0 with Client Credentials |
| Username | N/A |
| Password/Confirm | N/A |
| SCIM OAuth Token Endpoint URL | https://<GMI_SERVER_FQDN>/usermanager/oath/token NOTE: This field is required when the OAuth authentication method is selected |
| SCIM OAuth Client ID | Relevant SCIM OAuth Client ID (this information is custom-defined for a partner and is available by contacting ImageWare Systems at support@iwsinc.com) NOTE: This field is required when the OAuth authentication method is selected |
| SCIM OAuth Client Secret | Relevant SCIM OAuth Client Secret (this information is custom-defined for a partner and is available by contacting ImageWare Systems, [email protected]) |
| SCIM OAuth Scope | IGNORED, or some other string (optional) NOTE: This field is required when the OAuth authentication method is selected |
| OAuth Additional Parameters | None (optional) |
| Default Account Template | See Explore and correlate definition |

5. Click the Endpoint Settings tab.

NOTE: This tab is customized by CA or the relevant site or system administrator. Each setting is customized based upon the desired behavior regarding disabling and deleting accounts on the endpoint.

6. When any custom settings have been entered on this tab, click the Attribute Mapping tab.

NOTE: This tab can be optionally changed if needed, but in most cases it is recommended that users keep the out-of-box mapping.

7. When any custom settings have been entered on this tab, click Submit to save all endpoint settings on the Create SCIM endpoint form.
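
What the field values in the table above amount to on the wire, as an added example that is not part of the runbook or of CA's or ImageWare's code: it builds the OAuth 2.0 client-credentials token request and a read-only, bearer-authenticated SCIM lookup, which is enough to check a client credential before entering it in the form. Assumptions: the token endpoint accepts HTTP Basic client authentication and returns the standard RFC 6749 JSON response, and the SCIM service supports the standard `userName eq` filter on `/Users`; the host name, credentials and helper names are constructed.

```python
"""Added example: OAuth 2.0 client-credentials request and SCIM lookup for the
endpoint values in the table above. Host and credentials are constructed."""
import base64
import json
import urllib.error
import urllib.request
from typing import NamedTuple, Optional
from urllib.parse import quote, quote_plus, urlencode

TOKEN_PATH = "/usermanager/oath/token"  # path as given in the endpoint table
SCIM_BASE_PATH = "/gmiserver/v1"        # path as given in the endpoint table


class HttpRequest(NamedTuple):
    method: str
    url: str
    headers: dict
    body: Optional[bytes]


def origin(fqdn: str) -> str:
    """Accept only a bare host name so the secret cannot be sent to a URL
    with an injected scheme, userinfo, path or query."""
    if not fqdn or any(c in fqdn for c in "/\\@?# "):
        raise ValueError(f"not a bare host name: {fqdn!r}")
    return "https://" + fqdn


def token_request(fqdn, client_id, client_secret, scope="IGNORED"):
    """RFC 6749 section 4.4 token request (assumption: HTTP Basic client auth)."""
    # RFC 6749 section 2.3.1: form-encode the id and secret before Base64.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode("utf-8")).decode("ascii")
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return HttpRequest("POST", origin(fqdn) + TOKEN_PATH, headers, body.encode("ascii"))


def parse_token_response(status: int, raw: bytes) -> str:
    """Return the bearer token, or raise with the OAuth error code."""
    try:
        doc = json.loads(raw)
    except ValueError:
        raise RuntimeError(f"HTTP {status}: token endpoint did not return JSON")
    if not isinstance(doc, dict):
        raise RuntimeError(f"HTTP {status}: unexpected token response")
    if status != 200 or "access_token" not in doc:
        raise RuntimeError(f"HTTP {status}: {doc.get('error', 'no access_token')}")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {doc.get('token_type')!r}")
    return doc["access_token"]


def scim_lookup_request(fqdn, token, user_name):
    """Read-only check: GET <base>/Users?filter=userName eq "<name>"."""
    # Escape backslash and double quote so the name stays inside the filter string.
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urlencode({"filter": f'userName eq "{escaped}"'}, quote_via=quote)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    return HttpRequest("GET", f"{origin(fqdn)}{SCIM_BASE_PATH}/Users?{query}", headers, None)


def redacted(req: HttpRequest) -> HttpRequest:
    """Copy of the request that is safe to log: the credential header is masked."""
    masked = {k: "<redacted>" if k.lower() == "authorization" else v
              for k, v in req.headers.items()}
    return req._replace(headers=masked)


def send(req: HttpRequest, timeout: float = 10.0):
    """Send over HTTPS; urllib verifies the server certificate by default."""
    r = urllib.request.Request(req.url, data=req.body, headers=req.headers,
                               method=req.method)
    try:
        with urllib.request.urlopen(r, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Constructed values; replace with the tenant's own before calling send().
    req = token_request("gmi.example.test", "constructed-client-id", "constructed-secret")
    print(redacted(req))
    print(scim_lookup_request("gmi.example.test", "<token>", "alice@example.test").url)
```

An `invalid_client` error from `parse_token_response` points at the Client ID or Client Secret fields, while a token that is issued but rejected by the lookup points at the SCIM Base URL or the tenant's rights.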


Create an “explore and correlate” definition

To add users to an endpoint, you must create an “explore and correlate” definition for that endpoint. “Explore” identifies the accounts in the endpoint, and “Correlate” matches those accounts with either existing users in CA Identity Manager or creates those users/accounts.

1. Navigate to Endpoints → Explore and Correlate Definitions → Create Explore and Correlate Definition. A create new or create from copy form opens.

2. Select Create a new object of type Explore and Correlate and then click OK. A Create Explore and Correlate Definition form opens.

3. Enter an Explore and Correlate Name (this can be any string of text required).

4. Click Select Container/Endpoint/Explore method. A Select Endpoint form opens.

5. Click the Search for an endpoint of Endpoint Type drop-down menu and select SCIM.

6. Search for and Select the Endpoint created in Endpoint creation. A Select Container form opens.

7. Click Search and then place a checkmark next to the containers from which you wish to acquire data, such as Accounts, Groups, and so forth.

8. Click Select. The Create Explore and Correlate Definition form is now populated with the data you selected.

9. Select the correct Explore and Correlate actions:

    ● Explore endpoint for managed objects
    ● Update user fields
    ● Correlate accounts to users → Create users as needed

10. Click Submit. A confirmation window should open.

11. Click OK.

12. Click Endpoints → Execute Explore and Correlate.

13. Select Execute Now and then click Next.

14. Click Browse to locate the Explore and Correlate definition created in this section. A Select Explore and Correlate Definition form opens.

15. Click Search. A list of possible explore and correlate definitions opens.

16. Select the correct Explore and Correlate Definition and then click Select.

17. Click Finish to begin execution. A confirmation window should open.

Create account templates

To simplify account management, the recommended best practice is to create and maintain accounts using Account Templates, which are then used in provisioning Roles. Standardizing account maintenance through templates allows the administrator to control which account attributes are affiliated with which Endpoints when user accounts are created.

1. To create an account template, navigate to Endpoints → Manage Account Templates → Create Account Template. A Create Account Template form opens.

2. Click the Create a new account template of Endpoint Type drop-down menu and select SCIM.

3. Click OK. The Create SCIM Account Template form opens with the Account Template tab opened by default.

4. Enter an Account Template Name. This field can be named anything you determine appropriate.

5. Click the Endpoints tab.

6. Click Add SCIM Endpoint. The Find Endpoints search form opens.

7. Search for and Select the Endpoint created in Endpoint creation. The Create SCIM Account Template now contains the selected endpoint.

8. In regard to the Account, Account Container, User, Contact, and Group Membership tabs:

    ● Account, User, and Contact mapping can be modified as needed, but in most cases the default values should be used, for example use the %AC% (Account Name) rule string for the User Name attribute. The user name value must be maintained over the life of the provisioned account and therefore must be an immutable attribute like the account name.

      NOTE: For demonstration purposes in GoVerifyID, the email address is used for account name—this is what the GoVerifyID application requires during registration. It is expected that integration with an existing Identity Manager will involve synchronizing this user name value between Identity Manager and the customized GoVerifyID application; an appropriate user profile attribute should be chosen.

    ● Account Container tab should remain unchanged

    ● Group Membership can be optionally configured

9. When you have completed any additional changes to these tabs, click Submit.

A Confirmation message should open. Click OK.

Create a provisioning role

A provisioning role contains one or more account templates. When you apply that role to a user, the user receives the accounts that were previously defined by the templates.

1. To create a provisioning role, navigate to Roles and Tasks → Provisioning Roles → Create Provisioning Role. A Create new or Create from copy form opens.

2. Select Create a new provisioning role and then click OK. A Create Provisioning Role form opens with the Profile tab opened by default.

3. Enter a Profile Name. This field can be named anything you determine appropriate.

4. Click the Account Templates tab.

5. Click Add Account Template. The Select Account Template search form opens.

6. From the Search for an account template of Endpoint Type drop-down menu, select SCIM.

7. Search for and Select the account template created in Create account templates. The Create Provisioning Role form → Account Templates tab now contains the selected account template.

8. Do not make changes to the Provisioning Roles tab.

9. Click the Administrators tab.

Administrators can add and remove members of the provisioning role.

10. Click Add. The Admin Policy form opens.

On this form, you can select from a variety of parameters to create administrator roles, privileges, scope, and ownership levels. Set the rules and guidelines that establish the users who will be administrators of this provisioning role, and which users they can manage. When you have completed adding administrator users, click OK.

11. Click the Owners tab.

Owners are users who can modify and delete the provisioning role.

12. Click Add. The Owner Rule form opens.

On this form, you can establish the rules for which users will be owners of this provisioning role. When you have completed adding owner users, click OK.

13. Click Submit to complete adding this provisioning role.

A Confirmation message should open. Click OK.


Set up Policy Xpress

Policy Xpress is used to create complex business logic (or policies) in CA Identity Manager without developing custom code. This tool can automate endpoint provisioning by assigning the appropriate Provisioning Role(s) whenever a new User is created.

1. Navigate to Policies → Policy Xpress → Create Policy Xpress Policy.

2. Select Create a new object of type Policy Xpress.

3. On the Profile tab:

    a. Complete all fields, selecting Submitted Task as the Policy Type.
    b. Provide a Category Name or select one from the list.

4. On the Events tab:

    a. Select Task Started as the Event State
    b. Select Create User as the Event Name

5. On the Action Rules tab:

    a. Add Action when Matched
        ○ Category: Roles
        ○ Type: Set Provisioning Role
        ○ Function: Add
        ○ Provisioning Role Name: Select the provisioning role for your endpoint

6. To test:

    a. Navigate to Users → Manage Users → Create User and then create a new user
    b. From the endpoint user interface, verify that the new user was automatically created on the correct endpoint.

NOTE: For more information on how to create Policy Xpress Policies, refer to the Policy Xpress section of the CA Identity Manager documentation. This can be found at https://wiki.ca.com.


Chapter 3: Configure the ImageWare Systems GMI Server endpoint

Connect with ImageWare Systems, Inc.

Follow the steps given below to configure the ImageWare Systems GoMobile Interactive (GMI) Server endpoint:

1. Contact ImageWare Systems Support team ([email protected]) to begin the process of setting up the ImageWare Systems GMI Server. The sections in this chapter provide a general overview of what this process entails for business partners (called Tenants) such as CA Technologies.

2. See the ImageWare Systems, Inc. prerequisites for CA customers section of this document.

Tenant requirements

Tenants who use ImageWare's GoVerifyID client application or service and / or GMI server application layer will need to remain aware of the following requirements:

● Tenants must establish a tenant relationship with ImageWare and use the methods provided by ImageWare to engage with ImageWare's GMI server app layer.

● GMI Server API are implemented via RESTful HTTP calls over SSL. Responses are JSON-encoded. Each API REST call made by tenant’s servers must contain an authenticated client or resource owner OAuth 2.0 bearer token generated using credentials provided by ImageWare for each tenant installation.

● Tenants are further responsible to provision their authorized end-users through the GMI Server API or the GMI Admin Portal (a web-based interface for managing Tenant accounts).

ImageWare requirements

ImageWare will:

● Create the tenant’s profile on ImageWare servers.
● Create an OAuth 2.0 client credential used by the tenant to access ImageWare GMI Server application layer and utilize the GMI Server API from the tenant’s client servers.
● Work with representatives from the tenant to establish Administrative user roles for both GMI Server and the GMI Admin Portal.


ImageWare System’s GMI Admin Portal

When Tenants establish a relationship with ImageWare Systems, Inc., they are given the GMI Server SDK containing all relevant API, and also are provided with a login identity to the GMI Admin Portal. This Admin Portal is a web interface created for ImageWare’s Tenants, and is used by the Tenant’s administrative users to manage the following:

● Their own Tenant account
● Any end-users attached to their account, as well as a mechanism to manage end-user’s:
    ▪ Messages; and
    ▪ Devices*
● Their own system administrator credentials*
● Their own client server credentials*; and
● Any applications* or services they use to communicate with end-users

Some additional, useful features include the ability to push ad-hoc messages to end-users, review end-user statuses at-a-glance, bulk upload and download user lists, run reports on activity, and add or delete credentials, users, and other required information in a real-time, easy-to-use environment.

*NOTE: Not all tenants have been given access to all GMI Admin Portal rights and capabilities. Depending upon your designated administrative user role, you might not see all of the features described in this section when using the GMI Admin Portal.


Chapter 4: Test provisioning to the GMI Server endpoint

Provision a user

1. To provision a user in CA Identity Manager, navigate to Users → Manage Users → Modify User. The Search for a user form opens.

2. Search for and Select the User you wish to provision to the GMI endpoint. The Modify User form opens, with the Profile tab opened by default.

3. Enter or modify any of the fields on this tab as appropriate.

4. Click the Provisioning Roles tab. Existing users are listed on this tab.

5. Click Add a provisioning role. The Search for a provisioning role form opens.

6. Search for and Select the provisioning role you created in Provisioning Role. The Modify User form, Provisioning Roles tab now contains the selected user role.

7. Check Member and/or Administrator checkboxes for this provisioning role

8. Click Submit. A Confirmation message should open. Click OK.

Modify a user

GMI does not store Personally Identifying Information (PII) for individual users. The only data shared between CA Identity Manager and GMI is the User Name value defined in Create account template. The User Name value is immutable, therefore user modification is not supported, nor necessary, for CA Identity Manager provisioning to GMI.

Deprovision a user

1. To deprovision a user in CA Identity Manager, navigate to Users → Manage Users → Modify User. The Search for a user form opens.

2. Search for and Select the User you wish to deprovision from the GMI endpoint. The Modify User form opens, with the Profile tab opened by default.

3. Click the Provisioning Roles tab. The selected user should be shown on this tab.

4. De-select the Member or Administrator checkbox for this user to deprovision them from the endpoint.

5. Click Submit. A Confirmation message should open. Click OK.

Confirm that user was provisioned or deprovisioned in the GMI Admin Portal

Once you have provisioned (or deprovisioned) an end-user in CA Identity Manager, you can confirm that the user has been added or removed as an end-user attached to your Tenant account in the GMI Admin Portal by navigating to the GMI Admin Portal, Users tab and performing a Search <Ctrl+F> or by browsing through the list of existing users attached to your Tenant account in the Users table.


Chapter 5: Exception Handling

The following troubleshooting tips may be helpful to keep in mind during setup:

● The client credentials must be valid for the GMI server SCIM endpoint.
● In order to correctly provision a user, the user must not already exist on the GMI server.
● User names must be unique, therefore an email address or similar identifier is suggested.
● The Identity Manager User-User Name attribute value must be identical to the User-User Name value the person uses when registering themselves with the appropriate GoVerifyID or GoVerifyID-compatible application.


Chapter 6: Summary

The following is a summary of key steps in the Identity Manager provisioning setup process.

1. Configure ImageWare Systems’ GMI Server tenant to represent the CA Identity Manager user base.

2. Gather the client credentials and GMI Server SCIM endpoint details for use in configuring CA Identity Manager.

3. Using CA Identity Manager's administrative user interface, create the appropriate SCIM endpoint and associated Account Template and Provisioning Role to define provisioning from Identity Manager to GMI Server.


Appendices: CA Scalability Testing

Appendix A: Testing Checklist

Scalability testing performed with test servers at CA in conjunction with the GMI SCIM interface:

| Test Name | Complete | # Users | Time | Result/Comments |
|---|---|---|---|---|
| Explore and Correlate against Endpoint | ✓ | 250,000 | ~6 hours | 250,000+ users successfully correlated to CA IM. |
| Bulk Load – Provisioning Create Users | ✓ | 10,000 | ~1 hour | 7 of total were not provisioned in CA IM and correctly not provisioned in GMI. All others successfully provisioned. |
| Bulk Load – Provisioning Modify Users | ✓ | | | N/A. GMI does not have any attributes for Person Identity that can be modified. |
| Bulk Load – Provisioning Delete Users | ✓ | 1,000 | minutes | All users successfully deleted. |
| Special Character Testing (See Appendix B) | ✓ | | | |
| Additional CRUD Testing (See Appendix C) | ✓ | | | |

Appendix B: Special Character Testing

● Create Users in IM with Special Characters in the fields that will be provisioned to the endpoint.

● Make sure to test users with the following characters: , \ / ! @ # $ % & * ( ) - _ + = ‘ “ : ; [ ] { } < > ^ ~ . ? |

    ○ The GMI System has a more limited set of special characters supported for UserID (which is the only field provisioned from CA to GMI). Those characters are @ . _

● Provision, Update, and De-Provision those users to the endpoint.
    ○ Tested successfully.
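
A pre-flight check for a bulk provisioning run that combines the Chapter 5 troubleshooting tips (unique names, user must not already exist on GMI, value identical to what the person registers with) with the Appendix B character limit, as an added example that is not part of the runbook or of CA's or ImageWare's code. Assumptions: ASCII letters and digits are accepted in addition to the listed `@ . _`, names are compared case-insensitively, and the list of names already on GMI comes from a user list downloaded from the GMI Admin Portal; all sample names are constructed.

```python
"""Added example: pre-flight check of User Name values before a bulk
provisioning run to GMI. Sample names below are constructed."""
import re
from collections import Counter

# The runbook lists @ . _ as the only special characters GMI supports for
# UserID. Assumption: ASCII letters and digits are accepted as well.
SUPPORTED = re.compile(r"[A-Za-z0-9@._]")

# Constructed sample batch and constructed list of names already on GMI.
BATCH = [
    "alice@example.test",
    "bob_smith@example.test",
    "carol+hr@example.test",        # '+' is outside the supported set
    "frank@my-corp.example.test",   # so is '-', common in mail domains
    " gina@example.test",           # leading space from a spreadsheet export
    "dave@example.test",
    "Dave@example.test",            # differs from the previous name only in case
    "erin@example.test",            # already present on GMI
]
EXISTING = ["erin@example.test", "zoe@example.test"]


def unsupported_chars(name):
    """Characters outside the supported set, in first-seen order."""
    bad = []
    for ch in name:
        if not SUPPORTED.fullmatch(ch) and ch not in bad:
            bad.append(ch)
    return bad


def preflight(candidates, existing_on_gmi):
    """Split candidates into (ok, rejected); rejected holds (name, reason).

    Assumption: names are compared case-insensitively, so two values that
    differ only in case are reported as a collision rather than sent.
    Names are never trimmed or rewritten, because the value must be identical
    to what the person types when registering in GoVerifyID.
    """
    existing = {n.casefold() for n in existing_on_gmi}
    seen = Counter(n.casefold() for n in candidates)
    ok, rejected = [], []
    for name in candidates:
        bad = unsupported_chars(name)
        if not name:
            rejected.append((name, "empty user name"))
        elif bad:
            reason = "unsupported characters: " + " ".join(repr(c) for c in bad)
            rejected.append((name, reason))
        elif seen[name.casefold()] > 1:
            rejected.append((name, "duplicate within batch"))
        elif name.casefold() in existing:
            rejected.append((name, "already exists on GMI"))
        else:
            ok.append(name)
    return ok, rejected


if __name__ == "__main__":
    ok, rejected = preflight(BATCH, EXISTING)
    print("ready to provision:", ok)
    for name, reason in rejected:
        print(f"hold back {name!r}: {reason}")
```

Rejected names are reported rather than corrected, so the fix is made at the source attribute in Identity Manager and the provisioned value still matches what the end-user registers with.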

Appendix C: Additional CRUD Testing

In addition to previous Create, Read, Update, and Delete (CRUD) testing that has been completed, it is important to also test the following as it applies to your endpoint:

● Delete and recreate the same users. Ensure that users are deleted and recreated properly on the endpoint.

    ○ Tested successfully.

● Lock and suspend users. Ensure that these attributes are set properly on the endpoint.

    ○ This does not apply to GMI System integration.

NOTE: This does not apply to GMI System integration because locked and suspended users are managed by CA Identity Manager, the SSO system, or other CA software. GMI provides user biometric identity validation and authentication or rejection to CA. CA is responsible for granting the user access to appropriate applications based upon their permissions, specifically user status (active, locked, or suspended).

● Password changes, including must change on next login, and password expired. Ensure that the password is reset and that these attributes are set properly on the endpoint.

    ○ This does not apply to GMI System integration.

NOTE: This does not apply to GMI System integration because password policies and rules are managed by CA Identity Manager, the SSO system, or other CA software. GMI provides user biometric identity validation and authentication or rejection to CA. CA is responsible for granting the user access to appropriate applications based upon their permissions, specifically the user’s password policies.

● Relationship associations between primary object and secondary object (i.e. account/group). Ensure that these relationships are set and removed properly on the endpoint.

    ○ This does not apply to GMI System integration.

NOTE: This does not apply to GMI System integration because primary and secondary objects (such as accounts and groups) are managed by CA Identity Manager, the SSO system, or other CA software. GMI provides user biometric identity validation and authentication or rejection to CA. CA is responsible for granting the user access to appropriate applications based upon their permissions, specifically permissions related to their group membership(s).

It is important to also note that GMI does not manage or make use of groups. Groups and group membership are entirely the responsibility of CA/CA software.